Merge branch 'security-bw-confidential-titles-through-markdown-api' into 'master'

[master] Confidential issue/private snippet titles can be read by unauthenticated user through GFM markdown API Closes #2706 See merge request gitlab/gitlabhq!2507
author: Bob Van Landuyt <bob@gitlab.com> 2018-10-05 20:47:52 +0300
committer: Bob Van Landuyt <bob@gitlab.com> 2018-10-05 20:47:52 +0300
commit: 36bd07838263f709b0ca9af4830ee75cde7e8f97 (patch)
tree: b64f4170048b6299b45e8b50900584ac58af5984 /spec
parent: d26bf613b45066b3d2c78ef539cffc109cc39064 (diff)
parent: 829c9c65f9b730b3ecad7d3ba222e3dcd6489b85 (diff)
1 files changed, 46 insertions, 0 deletions
diff --git a/spec/requests/api/markdown_spec.rb b/spec/requests/api/markdown_spec.rb
index a55796cf343..e369c1435f0 100644
--- a/spec/requests/api/markdown_spec.rb
+++ b/spec/requests/api/markdown_spec.rb
@@ -106,6 +106,52 @@ describe API::Markdown do
                                         .and include("#1</a>")
           end
         end
+
+        context 'with a public project and confidential issue' do
+          let(:public_project)     { create(:project, :public) }
+          let(:confidential_issue) { create(:issue, :confidential, project: public_project, title: 'Confidential title') }
+
+          let(:text)   { ":tada: Hello world! :100: #{confidential_issue.to_reference}" }
+          let(:params) { { text: text, gfm: true, project: public_project.full_path } }
+
+          shared_examples 'user without proper access' do
+            it 'does not render the title or link' do
+              expect(response).to have_http_status(201)
+              expect(json_response["html"]).not_to include('Confidential title')
+              expect(json_response["html"]).not_to include('<a href=')
+              expect(json_response["html"]).to include('Hello world!')
+                                          .and include('data-name="tada"')
+                                          .and include('data-name="100"')
+                                          .and include('#1</p>')
+            end
+          end
+
+          context 'when not logged in' do
+            let(:user) { }
+
+            it_behaves_like 'user without proper access'
+          end
+
+          context 'when logged in as user without access' do
+            let(:user) { create(:user) }
+
+            it_behaves_like 'user without proper access'
+          end
+
+          context 'when logged in as author' do
+            let(:user) { confidential_issue.author }
+
+            it 'renders the title or link' do
+              expect(response).to have_http_status(201)
+              expect(json_response["html"]).to include('Confidential title')
+              expect(json_response["html"]).to include('Hello world!')
+                                          .and include('data-name="tada"')
+                                          .and include('data-name="100"')
+                                          .and include("<a href=\"#{IssuesHelper.url_for_issue(confidential_issue.iid, public_project)}\"")
+                                          .and include("#1</a>")
+            end
+          end
+        end
       end
     end
   end
author	Bob Van Landuyt <bob@gitlab.com>	2018-10-05 20:47:52 +0300
committer	Bob Van Landuyt <bob@gitlab.com>	2018-10-05 20:47:52 +0300
commit	36bd07838263f709b0ca9af4830ee75cde7e8f97 (patch)
tree	b64f4170048b6299b45e8b50900584ac58af5984 /spec
parent	d26bf613b45066b3d2c78ef539cffc109cc39064 (diff)
parent	829c9c65f9b730b3ecad7d3ba222e3dcd6489b85 (diff)